me/homelab-infra
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

Compare commits

base: me:eea6125511bc31bde96fabf2571479d3dac52b0a
Branches Tags
me:main
..
compare: me:main
Branches Tags
me:main

39 Commits
eea6125511 ... main

Author SHA1 Message Date
v.karaychentsev
68df7ab696 immich: try add dns to reach pc for ML tasks 2026-02-15 00:32:24 +03:00
v.karaychentsev
c99cdf11dc try fix issue with broken redis 2026-02-15 00:26:47 +03:00
v.karaychentsev
3328ceecf7 immich: fix network for redis image after update 2026-02-14 19:35:23 +03:00
v.karaychentsev
f543c35d29 immich - update to latest version v2.5.6 2026-02-14 13:02:29 +03:00
v.karaychentsev
428f694eaa add initial setup scripts used for by-02 host (vpnwg.ulakar.com) 2026-02-13 18:24:00 +03:00
v.karaychentsev
cc467dcdf4 add beszel config 2026-02-13 18:21:08 +03:00
v.karaychentsev
4dce2b7037 add wgeasy setup config 2026-02-13 18:16:01 +03:00
v.karaychentsev
4559164bff vpn host - add caddy 2026-02-13 18:10:05 +03:00
v.karaychentsev
54bbce83a1 add postgres config. used for testing purposes for now 2026-02-13 18:07:45 +03:00
v.karaychentsev
a0c18e0c4b update user for mealie 2026-02-13 17:56:53 +03:00
v.karaychentsev
1834f2449a Add mealie service 2026-02-13 17:53:19 +03:00
v.karaychentsev
2cf4e6002c update filebrowser config 2026-02-13 15:38:37 +03:00
v.karaychentsev
8ab507ea5c add mealie (recepies) to caddy 2026-02-13 15:38:29 +03:00
v.karaychentsev
b6eff26522 fix filebrowser db path 2026-02-13 15:20:08 +03:00
v.karaychentsev
4072c90c6e add config folder for filebrowser 2026-02-13 15:14:23 +03:00
v.karaychentsev
1cdd635a35 filebrowser: update endpoint 2026-02-13 15:07:30 +03:00
v.karaychentsev
0055c7976c add filebrowser 2026-02-13 14:58:13 +03:00
v.karaychentsev
3f8f7fd325 filebrowser: update endpoint 2026-02-13 14:56:03 +03:00
v.karaychentsev
ace8d2351f homepage: fixed gitea hostname to docker container name 2026-02-13 14:47:32 +03:00
v.karaychentsev
bcf2213e45 homepage: remove disabled services links: librechat and authentik 2026-02-13 14:45:38 +03:00
v.karaychentsev
400f03970f beszel: mount secrets for agent 2026-02-13 14:39:31 +03:00
v.karaychentsev
d2bc75def7 beszel: fix keyfile paths 2026-02-13 14:35:14 +03:00
v.karaychentsev
103286ed27 Add beszel compose and secrets for agent 2026-02-13 14:31:16 +03:00
v.karaychentsev
9394795a75 add vaultwarden 2026-02-13 14:22:14 +03:00
v.karaychentsev
d7e96440d9 pihole - add compose and secrets files 2026-02-13 14:16:31 +03:00
v.karaychentsev
5e49b168c1 add glances service 2026-02-13 14:06:34 +03:00
v.karaychentsev
17b7029203 gameyfin: fix volumes paths to use /srv/rundata/gameyfin/ 2026-02-13 13:56:22 +03:00
v.karaychentsev
99c224c2e2 gameyfin: re-encrypt broken (with bom) sops file 2026-02-13 13:52:51 +03:00
v.karaychentsev
430869f610 add gameyfin service 2026-02-13 13:50:13 +03:00
v.karaychentsev
952eb75f1f databasus - add gitea_db_net 2026-02-13 13:43:31 +03:00
v.karaychentsev
ca709b9bf1 databasus - add backup service 2026-02-13 13:43:00 +03:00
v.karaychentsev
fc14d06616 homepage: add fastmail service link 2026-02-13 13:36:37 +03:00
v.karaychentsev
087d789494 gitea: add dns - need for smtp 2026-02-13 13:36:09 +03:00
v.karaychentsev
089786e292 gitea: set correct db host. pin network name 2026-02-13 13:27:20 +03:00
v.karaychentsev
68f402affd gitea - use secret files. gitea env to ini supports __FILE postfix 2026-02-13 13:18:58 +03:00
v.karaychentsev
885e530454 add option decrypt .env secrets as is to separate file for services that do not support docker secrets reading from file. 2026-02-13 10:57:56 +03:00
v.karaychentsev
ae4efa868f Add gitea config. Extract secrets to sops encrypted file. 2026-02-13 10:18:38 +03:00
v.karaychentsev
c9328dbe5c Add gitea docs from v1.19. because in later versions the info about sshhing shim is removed from docs for unknown reasons. And forgejo references latest docs. So it was necessary to get docs from old git branch. 2026-02-13 09:14:22 +03:00
v.karaychentsev
72ef1ed2a3 update sops config. Decided to use an approach when encrypted file contains only secrets. This approach does not require to configure encrypted_regex stuff. 
.env files are going to be used for .env secrets for containers that can't read secrets from file.
.yaml files are for secrets that can be converted into docker secrets (key - file name, value - file content) because it easy to extract such data usyn `yq` than trying to parse .env files.
 2026-02-13 09:12:31 +03:00
36 changed files with 1502 additions and 43 deletions
Expand all files Collapse all files

11
.sops.yaml
View File

@@ -1,6 +1,13 @@
creation_rules:
- path_regex: '(^|[\\/]).*\.sops\.ya?ml$'
- path_regex: '(^|[\\/]).*secrets\.sops\.env$'
age:
- age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk # me
- age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73 # server
- path_regex: '(^|[\\/]).*secrets\.sops\.ya?ml$'
age:
- age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk # me
- age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73 # server
- path_regex: '(^|[\\/]).*\.sops\.conf$'
age:
- age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk # me
- age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73 # server
encrypted_regex: '^(DB_PASSWORD|API_KEY)$'

49
hosts/home-morefine/docker/beszel/docker-compose.yaml Normal file
View File

@@ -0,0 +1,49 @@
services:
beszel:
image: henrygd/beszel
container_name: beszel
restart: unless-stopped
ports:
- "10.8.0.3:8090:8090"
- "127.0.0.1:8090:8090"
dns:
- 192.168.1.131 # pi-hole
networks:
- caddy_internal
volumes:
- /srv/rundata/beszel/beszel_data:/beszel_data
- /srv/rundata/beszel/beszel_socket:/beszel_socket
beszel-agent:
image: henrygd/beszel-agent-intel
container_name: beszel-agent
restart: unless-stopped
network_mode: host
devices:
- /dev/sda:/dev/sda
# - /dev/sdb:/dev/sdb #usb adapter - doesn't work
# - /dev/sdc:/dev/sdc #usb adapter - doуsn't work
- /dev/nvme0:/dev/nvme0
- /dev/dri/card0:/dev/dri/card0 # `ls /dev/dri` to find GPU name
cap_add:
- SYS_RAWIO # required for S.M.A.R.T. data
- SYS_ADMIN # required for NVMe S.M.A.R.T. data
- CAP_PERFMON # monitor intel gpu
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /srv/rundata/beszel/beszel_agent_data:/var/lib/beszel-agent
- /srv/rundata/beszel/beszel_socket:/beszel_socket
- /mnt/wd:/extra-filesystems/sdb1__wd:ro
- /media/vk/L200:/extra-filesystems/sdc1__l200:ro
- /run/secrets/beszel:/run/secrets/beszel:ro
# monitor other disks / partitions by mounting a folder in /extra-filesystems
# - /mnt/disk/.beszel:/extra-filesystems/sda1:ro
environment:
LISTEN: /beszel_socket/beszel.sock
HUB_URL: http://localhost:8090
KEY_FILE: /run/secrets/beszel/AGENT_KEY
TOKEN_FILE: /run/secrets/beszel/AGENT_TOKEN
networks:
caddy_internal:
external: true

26
hosts/home-morefine/docker/beszel/secrets.sops.yaml Normal file
View File

@@ -0,0 +1,26 @@
AGENT_KEY: ENC[AES256_GCM,data:bkBSQmQ+atPeM6NR6xuCI1Pj18515W+N6aVGV1qj8FkqQdW9NDIuUFQo9avmOvuVBgEwEGjmYopg5HjeOKiNTY8vmTY2uX4ep2NPn+wXLjQ=,iv:Addanwsq3oWc577n4rI4aQrAKHhHwgU54qDRDQrNoY8=,tag:7kc4ekRW3NjGHgV0h0pRlA==,type:str]
AGENT_TOKEN: ENC[AES256_GCM,data:BThMKkVfuQPVrcWZyeCyX2zKB4zptIeRBy4aK3kpy4jYEJrR,iv:mf6QmzliYPmqSSm04POeAZ0vKKwUrg/BN/9T6trr2ec=,tag:HueCX4ET1qT+GCPltOiCAA==,type:str]
sops:
age:
- recipient: age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5YkhQajBITGFwa1AwNkpP
MHhwSWU3enNnTjhVMWtuNUR1cDFPSlVKRENvCmQxYnlpMHdYK0g1azNPdmVoQVBJ
ZGUyTXg4ZTJHTkRVV0ZqQVVJeGY4Y2cKLS0tIDZkS1hBM1FBbms3N3FUcHN2aXFM
SlNVeTR2MTdZUFNmdnhjMHhWaGUzbjAKjtHro6hKfxOtJrFvjTJOoT6Ao2vjvq3f
bupg08TbEdJogHQGi6wCwscCQiZm0UVLZoB5iVjLf5ybVP27CLEQMQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFaE5VV25xL0h1ZmVlQzQy
b0VkK0t2UmNYQjROcFJHaE5Xb2lHTmtzY1RrCnZhRVNnRThWTzRpUEFRdXgvSisr
TElKUTVQYndYTFkyOWFFbkRtUWlWdTQKLS0tIGJwVng5VWE3c2J6YVk5UVlNUnpj
ckRzeFdwblpGN1ViQVNyaXNpWE9ucDQK0s8x0C8C+Z+HnOUx05HyyPU2B1EM5g0o
RAPVXu3jh9wy8zFQYILDuvTg5kbWiH73r09hy26UN1aAXxeWf20ufQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-13T11:29:44Z"
mac: ENC[AES256_GCM,data:36trL0c3r10+PZdbiKm3NgN0BkJwbWGeOesSJlh/SvUTeO9TD09pdd4J/6J/NGTq8GXhGviCUnE0hT76GepgGh9GNvpQQHyRBPlygYjMeoj3mX07yY48SbQTxvpiSgBkhswlvQ4PbpMFOwyALv84ie7Dusfnp+S65RNFLPl4sVU=,iv:IE26s69HxkDOn3LfuXIEUBVpyoZeh5eq4LD8ZRnXqCs=,tag:DDB6MkHpRYbSFLO0ameLVw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

11
hosts/home-morefine/docker/caddy/Caddyfile
View File

@@ -38,10 +38,7 @@ drone.catmedved.com {
}
# F
files-minipc.catmedved.com {
reverse_proxy /outpost.goauthentik.io* https://auth.catmedved.com {
header_up Host {host}
}
filebrowser.catmedved.com {
reverse_proxy http://filebrowser:80
tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
}
@@ -106,6 +103,12 @@ photo.catmedved.com {
tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
}
# R
recepies.catmedved.com {
reverse_proxy http://mealie:9000
tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
}
# S
speedtest-minipc.catmedved.com {
reverse_proxy http://speedtest-tracker:80

23
hosts/home-morefine/docker/databasus/docker-compose.yaml Normal file
View File

@@ -0,0 +1,23 @@
services:
databasus:
container_name: databasus
restart: unless-stopped
image: databasus/databasus:latest
# ports:
# - "4005:4005"
volumes:
- /srv/rundata/databasus/databasus-data:/databasus-data
networks:
- caddy_internal
- immich_internal
- gitea_db_net
dns:
- 192.168.1.131 # pi-hole
networks:
caddy_internal:
external: true
immich_internal:
external: true
gitea_db_net:
external: true

20
hosts/home-morefine/docker/filebrowser/docker-compose.yaml Normal file
View File

@@ -0,0 +1,20 @@
services:
filebrowser:
container_name: filebrowser
image: filebrowser/filebrowser
networks:
- caddy_internal
dns:
- 192.168.1.131 # pi-hole
volumes:
- '/home/vk:/srv'
- '/srv/rundata/filebrowser/database/filebrowser.db:/database/database.db'
- '/srv/rundata/filebrowser/config:/config'
# - '/path/.filebrowser.json:/.filebrowser.json'
#user: $(id -u vk):$(id -g vk)
# ports:
# - '8077:80'
networks:
caddy_internal:
external: true

37
hosts/home-morefine/docker/gameyfin/docker-compose.yaml Normal file
View File

@@ -0,0 +1,37 @@
services:
gameyfin:
image: ghcr.io/gameyfin/gameyfin:2
container_name: gameyfin
restart: unless-stopped
networks:
- caddy_internal
dns:
- 192.168.1.131 # pi-hole
env_file:
- /run/secrets/gameyfin/secrets.env
environment:
# Generate a new APP_KEY using the command "openssl rand -base64 32" or similar.
#APP_KEY: secrets.sops.env
# (optional) Set the URL of your Gameyfin instance if you are using a reverse proxy.
# Currently, this is only used for generating links in notification emails and the log line at first run.
APP_URL: https://gameyfin.catmedved.com
# (optional) Set the user and group ID to run Gameyfin with a specific user.
PUID: 1000 # Change this to your user ID if needed
PGID: 1000 # Change this to your group ID if needed
volumes:
- "/srv/rundata/gameyfin/container_data/db:/opt/gameyfin/db"
- "/srv/rundata/gameyfin/container_data/data:/opt/gameyfin/data"
- "/srv/rundata/gameyfin/container_data/plugindata:/opt/gameyfin/plugindata"
- "/srv/rundata/gameyfin/container_data/logs:/opt/gameyfin/logs"
- "/mnt/wd/Games:/opt/gameyfin-library/Games"
ports:
- "10.8.0.3:8080:8080"
# If you plan to use the included torrent plugin, uncomment the following lines:
# - "6969:6969"
networks:
caddy_internal:
name: caddy_internal
external: true

9
hosts/home-morefine/docker/gameyfin/secrets.sops.env Normal file
View File

@@ -0,0 +1,9 @@
APP_KEY=ENC[AES256_GCM,data:wDd12E91WMFdRMrZtDcas/z+u2qbst+hU+fRQg/h4s6CA/oCV+5M96b/eyY=,iv:g6hWc9gJIQWhNCRhmKHclBlsafOOkKjxUbQjC/Luy2g=,tag:f21dWkg1aqiKcBbeCi0kLg==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDTm9WVFhyeTQxRG9VZ1pQ\nb290ODZ4ZWxrUmFJY3JRZjFmQkMrOXcvUVNvClZxV2tjZEZjTktrSkFQNUpSZXpP\nQkhEMkxuWEpYT0xvdk5YbThVNGpNSjQKLS0tIHVMTXdFM0c2UlFaOHZSaDVWb1la\ndzIveWloUHJSKzhRY0lKUTFIYWpCVDQK4TkQ7P6Qe3zQfs2Y/HEYv1TMgufocIrK\nW85qPwEj8MXabxLHh9AHLbklxdFRJRRYb2TtLJGoLwfIWX3Y6tUmrQ==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk
sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6dFJiUXBrOEpGSG0xdVh1\ncnBKM3cyN3ZoZWFSMmYrRUVBZGJvT0dTTzBnCjdBdGxqREEvQ0xyUjZHVXRteXQz\ndnhOV1YyM1BnNSszekljZWFMZjZ0dDgKLS0tIFc2L0dqTjNIcjFjbHJvd3daMzJ5\nL3dXWVMwSk9FUGcreFBoeXZ0UFpRdjQKi1PWuQ0v6w8ujggIm1Tn++YqIbDOdrLq\n5mrJ//qJIubV4ICANSWOw98EHbjdZrfMhCSj2HUMvL2r8VwL993o9Q==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_1__map_recipient=age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73
sops_lastmodified=2026-02-13T10:52:22Z
sops_mac=ENC[AES256_GCM,data:+0bw+vKjn5yu8fSUIm+skFg2l0hHD0TQ518AyFmzZag4bdrqOfJFYnYuW0OWbhAgPcEfIulyIdGb6wc4J3AJDYTdWbNLiXdJMdE20JoIKe8vsqutx2VZI4gwXT6xfnbKoznBo0EqkoKPvrdE4FsaAk/NRQ8ib4Nxpd7XFBWVu7o=,iv:9Tsr8cE5xqH6aPSL1wnPSwiK2WkG5kSHV9sPaynVntQ=,tag:pF9vzIOh8ZWBBjZXpBvG9g==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.11.0

18
hosts/home-morefine/docker/gitea/.env Normal file
View File

@@ -0,0 +1,18 @@
# Host git user. Owns git repo. Used for Ssh
USER=git
USER_UID=134
USER_GID=139
GITEA__DATABASE__DB_TYPE=postgres
GITEA__DATABASE__HOST=gitea_db:5432
GITEA__DATABASE__NAME=gitea
GITEA__DATABASE__USER=gitea
#GITEA__DATABASE__PASSWD=secrets.sops.yaml
GITEA__MAILER__ENABLED=true
GITEA__MAILER__FROM=gitea@catmedved.com
GITEA__MAILER__PROTOCOL=smtp+starttls
GITEA__MAILER__SMTP_PORT=587
GITEA__MAILER__SMTP_ADDR=smtp.fastmail.com
#GITEA__MAILER__USER=secrets.sops.yaml
#GITEA__MAILER__PASSWD=secrets.sops.yaml

64
hosts/home-morefine/docker/gitea/docker-compose.yaml Normal file
View File

@@ -0,0 +1,64 @@
services:
gitea:
image: gitea/gitea:latest
container_name: gitea
env_file:
- .env
environment:
GITEA__DATABASE__PASSWD__FILE: /run/secrets/GITEA__DATABASE__PASSWD
GITEA__MAILER__USER__FILE: /run/secrets/GITEA__MAILER__USER
GITEA__MAILER__PASSWD__FILE: /run/secrets/GITEA__MAILER__PASSWD
restart: unless-stopped
networks:
- caddy_internal
- gitea_db_net
volumes:
- /srv/rundata/gitea/data:/data
# `authorized_keys` file is shared between the host git user and the container git user
- /home/git/.ssh:/data/git/.ssh
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
# SSHing Shim (with authorized_keys)
- "127.0.0.1:2222:22"
depends_on:
- gitea_db
dns:
- 192.168.1.131 # host pi-hole
secrets:
- GITEA__DATABASE__PASSWD
- GITEA__MAILER__USER
- GITEA__MAILER__PASSWD
gitea_db:
image: postgres:14
container_name: gitea_pg_db
restart: unless-stopped
environment:
USER_UID: ${USER_UID}
USER_GID: ${USER_GID}
POSTGRES_USER: ${GITEA__DATABASE__USER}
POSTGRES_DB: ${GITEA__DATABASE__NAME}
POSTGRES_PASSWORD_FILE: /run/secrets/GITEA__DATABASE__PASSWD
networks:
- gitea_db_net
volumes:
- /srv/rundata/gitea/postgres:/var/lib/postgresql/data
secrets:
- GITEA__DATABASE__PASSWD
networks:
caddy_internal:
name: caddy_internal
external: true
gitea_db_net:
name: gitea_db_net
internal: true
secrets:
GITEA__DATABASE__PASSWD:
file: /run/secrets/gitea/GITEA__DATABASE__PASSWD
GITEA__MAILER__USER:
file: /run/secrets/gitea/GITEA__MAILER__USER
GITEA__MAILER__PASSWD:
file: /run/secrets/gitea/GITEA__MAILER__PASSWD

632
hosts/home-morefine/docker/gitea/install-with-docker-v1.19.md Normal file
View File

@@ -0,0 +1,632 @@
---
date: "2020-03-19T19:27:00+02:00"
title: "Installation with Docker"
slug: "install-with-docker"
sidebar_position: 70
toc: false
draft: false
menu:
sidebar:
parent: "installation"
name: "With Docker"
sidebar_position: 70
identifier: "install-with-docker"
---
# Installation with Docker
Gitea provides automatically updated Docker images within its Docker Hub organization. It is
possible to always use the latest stable tag or to use another service that handles updating
Docker images.
This reference setup guides users through the setup based on `docker-compose`, but the installation
of `docker-compose` is out of scope of this documentation. To install `docker-compose` itself, follow
the official [install instructions](https://docs.docker.com/compose/install/).
## Basics
The most simple setup just creates a volume and a network and starts the `gitea/gitea:latest`
image as a service. Since there is no database available, one can be initialized using SQLite3.
Create a directory like `gitea` and paste the following content into a file named `docker-compose.yml`.
Note that the volume should be owned by the user/group with the UID/GID specified in the config file.
If you don't give the volume correct permissions, the container may not start.
For a stable release you can use `:latest`, `:1` or specify a certain release like `:@version@`, but if you'd like to use the latest development version of Gitea then you could use the `:nightly` tag. If you'd like to run the latest commit from a release branch you can use the `:1.x-nightly` tag, where x is the minor version of Gitea. (e.g. `:1.16-nightly`)
```yaml
version: "3"
networks:
gitea:
external: false
services:
server:
image: gitea/gitea:@version@
container_name: gitea
environment:
- USER_UID=1000
- USER_GID=1000
restart: always
networks:
- gitea
volumes:
- ./gitea:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
- "3000:3000"
- "222:22"
```
## Ports
To bind the integrated OpenSSH daemon and the webserver on a different port, adjust
the port section. It's common to just change the host port and keep the ports within
the container like they are.
```diff
version: "3"
networks:
gitea:
external: false
services:
server:
image: gitea/gitea:@version@
container_name: gitea
environment:
- USER_UID=1000
- USER_GID=1000
restart: always
networks:
- gitea
volumes:
- ./gitea:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
- - "3000:3000"
- - "222:22"
+ - "8080:3000"
+ - "2221:22"
```
## Databases
### MySQL database
To start Gitea in combination with a MySQL database, apply these changes to the
`docker-compose.yml` file created above.
```diff
version: "3"
networks:
gitea:
external: false
services:
server:
image: gitea/gitea:@version@
container_name: gitea
environment:
- USER_UID=1000
- USER_GID=1000
+ - GITEA__database__DB_TYPE=mysql
+ - GITEA__database__HOST=db:3306
+ - GITEA__database__NAME=gitea
+ - GITEA__database__USER=gitea
+ - GITEA__database__PASSWD=gitea
restart: always
networks:
- gitea
volumes:
- ./gitea:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
- "3000:3000"
- "222:22"
+ depends_on:
+ - db
+
+ db:
+ image: mysql:8
+ restart: always
+ environment:
+ - MYSQL_ROOT_PASSWORD=gitea
+ - MYSQL_USER=gitea
+ - MYSQL_PASSWORD=gitea
+ - MYSQL_DATABASE=gitea
+ networks:
+ - gitea
+ volumes:
+ - ./mysql:/var/lib/mysql
```
### PostgreSQL database
To start Gitea in combination with a PostgreSQL database, apply these changes to
the `docker-compose.yml` file created above.
```diff
version: "3"
networks:
gitea:
external: false
services:
server:
image: gitea/gitea:@version@
container_name: gitea
environment:
- USER_UID=1000
- USER_GID=1000
+ - GITEA__database__DB_TYPE=postgres
+ - GITEA__database__HOST=db:5432
+ - GITEA__database__NAME=gitea
+ - GITEA__database__USER=gitea
+ - GITEA__database__PASSWD=gitea
restart: always
networks:
- gitea
volumes:
- ./gitea:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
- "3000:3000"
- "222:22"
+ depends_on:
+ - db
+
+ db:
+ image: postgres:14
+ restart: always
+ environment:
+ - POSTGRES_USER=gitea
+ - POSTGRES_PASSWORD=gitea
+ - POSTGRES_DB=gitea
+ networks:
+ - gitea
+ volumes:
+ - ./postgres:/var/lib/postgresql/data
```
## Named volumes
To use named volumes instead of host volumes, define and use the named volume
within the `docker-compose.yml` configuration. This change will automatically
create the required volume. You don't need to worry about permissions with
named volumes; Docker will deal with that automatically.
```diff
version: "3"
networks:
gitea:
external: false
+volumes:
+ gitea:
+ driver: local
+
services:
server:
image: gitea/gitea:@version@
container_name: gitea
restart: always
networks:
- gitea
volumes:
- - ./gitea:/data
+ - gitea:/data
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
ports:
- "3000:3000"
- "222:22"
```
MySQL or PostgreSQL containers will need to be created separately.
## Startup
To start this setup based on `docker-compose`, execute `docker-compose up -d`,
to launch Gitea in the background. Using `docker-compose ps` will show if Gitea
started properly. Logs can be viewed with `docker-compose logs`.
To shut down the setup, execute `docker-compose down`. This will stop
and kill the containers. The volumes will still exist.
Notice: if using a non-3000 port on http, change app.ini to match
`LOCAL_ROOT_URL = http://localhost:3000/`.
## Installation
After starting the Docker setup via `docker-compose`, Gitea should be available using a
favorite browser to finalize the installation. Visit http://server-ip:3000 and follow the
installation wizard. If the database was started with the `docker-compose` setup as
documented above, please note that `db` must be used as the database hostname.
## Configure the user inside Gitea using environment variables
- `USER`: **git**: The username of the user that runs Gitea within the container.
- `USER_UID`: **1000**: The UID (Unix user ID) of the user that runs Gitea within the container. Match this to the UID of the owner of the `/data` volume if using host volumes (this is not necessary with named volumes).
- `USER_GID`: **1000**: The GID (Unix group ID) of the user that runs Gitea within the container. Match this to the GID of the owner of the `/data` volume if using host volumes (this is not necessary with named volumes).
## Customization
Customization files described [here](https://docs.gitea.io/en-us/customizing-gitea/) should
be placed in `/data/gitea` directory. If using host volumes, it's quite easy to access these
files; for named volumes, this is done through another container or by direct access at
`/var/lib/docker/volumes/gitea_gitea/_data`. The configuration file will be saved at
`/data/gitea/conf/app.ini` after the installation.
## Upgrading
:exclamation::exclamation: **Make sure you have volumed data to somewhere outside Docker container** :exclamation::exclamation:
To upgrade your installation to the latest release:
```bash
# Edit `docker-compose.yml` to update the version, if you have one specified
# Pull new images
docker-compose pull
# Start a new container, automatically removes old one
docker-compose up -d
```
## Managing Deployments With Environment Variables
In addition to the environment variables above, any settings in `app.ini` can be set or overridden with an environment variable of the form: `GITEA__SECTION_NAME__KEY_NAME`. These settings are applied each time the docker container starts. Full information [here](https://github.com/go-gitea/gitea/tree/master/contrib/environment-to-ini).
These environment variables can be passed to the docker container in `docker-compose.yml`. The following example will enable an smtp mail server if the required env variables `GITEA__mailer__FROM`, `GITEA__mailer__HOST`, `GITEA__mailer__PASSWD` are set on the host or in a `.env` file in the same directory as `docker-compose.yml`:
```bash
...
services:
server:
environment:
- GITEA__mailer__ENABLED=true
- GITEA__mailer__FROM=${GITEA__mailer__FROM:?GITEA__mailer__FROM not set}
- GITEA__mailer__MAILER_TYPE=smtp
- GITEA__mailer__HOST=${GITEA__mailer__HOST:?GITEA__mailer__HOST not set}
- GITEA__mailer__IS_TLS_ENABLED=true
- GITEA__mailer__USER=${GITEA__mailer__USER:-apikey}
- GITEA__mailer__PASSWD="""${GITEA__mailer__PASSWD:?GITEA__mailer__PASSWD not set}"""
```
Gitea will generate new secrets/tokens for every new installation automatically and write them into the app.ini. If you want to set the secrets/tokens manually, you can use the following docker commands to use of Gitea's built-in [generate utility functions](https://docs.gitea.io/en-us/command-line/#generate). Do not lose/change your SECRET_KEY after the installation, otherwise the encrypted data can not be decrypted anymore.
The following commands will output a new `SECRET_KEY` and `INTERNAL_TOKEN` to `stdout`, which you can then place in your environment variables.
```bash
docker run -it --rm gitea/gitea:1 gitea generate secret SECRET_KEY
docker run -it --rm gitea/gitea:1 gitea generate secret INTERNAL_TOKEN
```
```yaml
...
services:
server:
environment:
- GITEA__security__SECRET_KEY=[value returned by generate secret SECRET_KEY]
- GITEA__security__INTERNAL_TOKEN=[value returned by generate secret INTERNAL_TOKEN]
```
## SSH Container Passthrough
Since SSH is running inside the container, SSH needs to be passed through from the host to the container if SSH support is desired. One option would be to run the container SSH on a non-standard port (or moving the host port to a non-standard port). Another option which might be more straightforward is for Gitea users to ssh to a Gitea user on the host which will then relay those connections to the docker.
### Understanding SSH access to Gitea (without passthrough)
To understand what needs to happen, you first need to understand what happens without passthrough. So we will try to explain this:
1. The client adds their SSH public key to Gitea using the webpage.
2. Gitea will add an entry for this key to the `.ssh/authorized_keys` file of its running user, `git`.
3. This entry has the public key, but also has a `command=` option. It is this command that Gitea uses to match this key to the client user and manages authentication.
4. The client then makes an SSH request to the SSH server using the `git` user, e.g. `git clone git@domain:user/repo.git`.
5. The client will attempt to authenticate with the server, passing one or more public keys one at a time to the server.
6. For each key the client provides, the SSH server will first check its configuration for an `AuthorizedKeysCommand` to see if the public key matches, and then the `git` user's `authorized_keys` file.
7. The first entry that matches will be selected, and assuming this is a Gitea entry, the `command=` will now be executed.
8. The SSH server creates a user session for the `git` user, and using the shell for the `git` user runs the `command=`
9. This runs `gitea serv` which takes over control of the rest of the SSH session and manages gitea authentication & authorization of the git commands.
Now, for the SSH passthrough to work, we need the host SSH to match the public keys and then run the `gitea serv` on the docker. There are multiple ways of doing this. However, all of these require some information about the docker being passed to the host.
### SSHing Shim (with authorized_keys)
In this option, the idea is that the host simply uses the `authorized_keys` that gitea creates but at step 9 the `gitea` command that the host runs is a shim that actually runs ssh to go into the docker and then run the real docker `gitea` itself.
- To make the forwarding work, the SSH port of the container (22) needs to be mapped to the host port 2222 in `docker-compose.yml` . Since this port does not need to be exposed to the outside world, it can be mapped to the `localhost` of the host machine:
```yaml
ports:
# [...]
- "127.0.0.1:2222:22"
```
- Next on the host create the `git` user which shares the same `UID`/ `GID` as the container values `USER_UID`/ `USER_GID`. These values can be set as environment variables in the `docker-compose.yml`:
```yaml
environment:
- USER_UID=1000
- USER_GID=1000
```
- Mount `/home/git/.ssh` of the host into the container. This ensures that the `authorized_keys` file is shared between the host `git` user and the container `git` user otherwise the SSH authentication cannot work inside the container.
```yaml
volumes:
- /home/git/.ssh/:/data/git/.ssh
```
- Now a SSH key pair needs to be created on the host. This key pair will be used to authenticate the `git` user on the host to the container. As an administrative user on the host run: (by administrative user we mean a user that can sudo to root)
```bash
sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key"
```
- Please note depending on the local version of ssh you may want to consider using `-t ecdsa` here.
- `/home/git/.ssh/authorized_keys` on the host now needs to be modified. It needs to act in the same way as `authorized_keys` within the Gitea container. Therefore add the public key of the key you created above ("Gitea Host Key") to `~/git/.ssh/authorized_keys`. As an administrative user on the host run:
```bash
sudo -u git cat /home/git/.ssh/id_rsa.pub | sudo -u git tee -a /home/git/.ssh/authorized_keys
sudo -u git chmod 600 /home/git/.ssh/authorized_keys
```
Important: The pubkey from the `git` user needs to be added "as is" while all other pubkeys added via the Gitea web interface will be prefixed with `command="/usr [...]`.
`/home/git/.ssh/authorized_keys` should then look somewhat like
```bash
# SSH pubkey from git user
ssh-rsa <Gitea Host Key>
# other keys from users
command="/usr/local/bin/gitea --config=/data/gitea/conf/app.ini serv key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty <user pubkey>
```
- The next step is to create the fake host `gitea` command that will forward commands from the host to the container. The name of this file depends on your version of Gitea:
- For Gitea v1.16.0+. As an administrative user on the host run:
```bash
cat <<"EOF" | sudo tee /usr/local/bin/gitea
#!/bin/sh
ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
EOF
sudo chmod +x /usr/local/bin/gitea
```
Here is a detailed explanation what is happening when a SSH request is made:
1. The client adds their SSH public key to Gitea using the webpage.
2. Gitea in the container will add an entry for this key to the `.ssh/authorized_keys` file of its running user, `git`.
- However, because `/home/git/.ssh/` on the host is mounted as `/data/git/.ssh` this means that the key has been added to the host `git` user's `authorized_keys` file too.
3. This entry has the public key, but also has a `command=` option.
- This command matches the location of the Gitea binary on the container, but also the location of the shim on the host.
4. The client then makes an SSH request to the host SSH server using the `git` user, e.g. `git clone git@domain:user/repo.git`.
5. The client will attempt to authenticate with the server, passing one or more public keys in turn to the host.
6. For each key the client provides, the host SSH server will first check its configuration for an `AuthorizedKeysCommand` to see if the public key matches, and then the host `git` user's `authorized_keys` file.
- Because `/home/git/.ssh/` on the host is mounted as `/data/git/.ssh` this means that the key they added to the Gitea web will be found
7. The first entry that matches will be selected, and assuming this is a Gitea entry, the `command=` will now be executed.
8. The host SSH server creates a user session for the `git` user, and using the shell for the host `git` user runs the `command=`
9. This means that the host runs the host `/usr/local/bin/gitea` shim that opens an SSH from the host to container passing the rest of the command arguments directly to `/usr/local/bin/gitea` on the container.
10. Meaning that the container `gitea serv` is run, taking over control of the rest of the SSH session and managing gitea authentication & authorization of the git commands.
**Notes**
SSH container passthrough using `authorized_keys` will work only if
- `opensshd` is used in the container
- if `AuthorizedKeysCommand` is _not used_ in combination with `SSH_CREATE_AUTHORIZED_KEYS_FILE=false` to disable authorized files key generation
- `LOCAL_ROOT_URL` is not changed (depending on the changes)
If you try to run `gitea` on the host, you will attempt to ssh to the container and thence run the `gitea` command there.
Never add the `Gitea Host Key` as a SSH key to a user on the Gitea interface.
### SSHing Shell (with authorized_keys)
In this option, the idea is that the host simply uses the `authorized_keys` that gitea creates but at step 8 above we change the shell that the host runs to ssh directly into the docker and then run the shell there. This means that the `gitea` that is then run is the real docker `gitea`.
- In this case we setup as per SSHing Shim except instead of creating `/usr/local/bin/gitea`
we create a new shell for the git user. As an administrative user on the host run:
```bash
cat <<"EOF" | sudo tee /home/git/ssh-shell
#!/bin/sh
shift
ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $@"
EOF
sudo chmod +x /home/git/ssh-shell
sudo usermod -s /home/git/ssh-shell git
```
Be careful here - if you try to login as the git user in future you will ssh directly to the docker.
Here is a detailed explanation what is happening when a SSH request is made:
1. The client adds their SSH public key to Gitea using the webpage.
2. Gitea in the container will add an entry for this key to the `.ssh/authorized_keys` file of its running user, `git`.
- However, because `/home/git/.ssh/` on the host is mounted as `/data/git/.ssh` this means that the key has been added to the host `git` user's `authorized_keys` file too.
3. This entry has the public key, but also has a `command=` option.
- This command matches the location of the Gitea binary on the container.
4. The client then makes an SSH request to the host SSH server using the `git` user, e.g. `git clone git@domain:user/repo.git`.
5. The client will attempt to authenticate with the server, passing one or more public keys in turn to the host.
6. For each key the client provides, the host SSH server will first check its configuration for an `AuthorizedKeysCommand` to see if the public key matches, and then the host `git` user's `authorized_keys` file.
- Because `/home/git/.ssh/` on the host is mounted as `/data/git/.ssh` this means that the key they added to the Gitea web will be found
7. The first entry that matches will be selected, and assuming this is a Gitea entry, the `command=` will now be executed.
8. The host SSH server creates a user session for the `git` user, and using the shell for the host `git` user runs the `command=`
9. The shell of the host `git` user is now our `ssh-shell` which opens an SSH connection from the host to container, (which opens a shell on the container for the container `git`).
10. The container shell now runs the `command=` option meaning that the container `gitea serv` is run, taking over control of the rest of the SSH session and managing gitea authentication & authorization of the git commands.
**Notes**
SSH container passthrough using `authorized_keys` will work only if
- `opensshd` is used in the container
- if `AuthorizedKeysCommand` is _not used_ in combination with `SSH_CREATE_AUTHORIZED_KEYS_FILE=false` to disable authorized files key generation
- `LOCAL_ROOT_URL` is not changed (depending on the changes)
If you try to login as the `git` user on the host in future you will ssh directly to the docker.
Never add the `Gitea Host Key` as a SSH key to a user on the Gitea interface.
### Docker Shell (with authorized_keys)
Similar to the above ssh shell technique we can use a shell which simply uses `docker exec`. As an administrative user on the host run:
```bash
cat <<"EOF" | sudo tee /home/git/docker-shell
#!/bin/sh
/usr/bin/docker exec -i -u git --env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" gitea sh "$@"
EOF
sudo chmod +x /home/git/docker-shell
sudo usermod -s /home/git/docker-shell git
```
Here is a detailed explanation what is happening when a SSH request is made:
1. The client adds their SSH public key to Gitea using the webpage.
2. Gitea in the container will add an entry for this key to the `.ssh/authorized_keys` file of its running user, `git`.
- However, because `/home/git/.ssh/` on the host is mounted as `/data/git/.ssh` this means that the key has been added to the host `git` user's `authorized_keys` file too.
3. This entry has the public key, but also has a `command=` option.
- This command matches the location of the Gitea binary on the container.
4. The client then makes an SSH request to the host SSH server using the `git` user, e.g. `git clone git@domain:user/repo.git`.
5. The client will attempt to authenticate with the server, passing one or more public keys in turn to the host.
6. For each key the client provides, the host SSH server will first check its configuration for an `AuthorizedKeysCommand` to see if the public key matches, and then the host `git` user's `authorized_keys` file.
- Because `/home/git/.ssh/` on the host is mounted as `/data/git/.ssh` this means that the key they added to the Gitea web will be found
7. The first entry that matches will be selected, and assuming this is a Gitea entry, the `command=` will now be executed.
8. The host SSH server creates a user session for the `git` user, and using the shell for the host `git` user runs the `command=`
9. The shell of the host `git` user is now our `docker-shell` which uses `docker exec` to open a shell for the `git` user on the container.
10. The container shell now runs the `command=` option meaning that the container `gitea serv` is run, taking over control of the rest of the SSH session and managing gitea authentication & authorization of the git commands.
Note that `gitea` in the docker command above is the name of the container. If you named yours differently, don't forget to change that. The host `git` user also has to have
permission to run `docker exec`.
**Notes**
Docker shell passthrough using `authorized_keys` will work only if
- `opensshd` is used in the container
- if `AuthorizedKeysCommand` is _not used_ in combination with `SSH_CREATE_AUTHORIZED_KEYS_FILE=false` to disable authorized files key generation
- `LOCAL_ROOT_URL` is not changed (depending on the changes)
If you try to login as the `git` user on the host in future you will `docker exec` directly to the docker.
A Docker execing shim could be created similarly to above.
### Docker Shell with AuthorizedKeysCommand
The AuthorizedKeysCommand route provides another option that does not require many changes to the compose file or the `authorized_keys` - but does require changes to the host `/etc/sshd_config`.
In this option, the idea is that the host SSH uses an `AuthorizedKeysCommand` instead of relying on sharing the `authorized_keys` file that gitea creates. We continue to use a special shell at step 8 above to exec into the docker and then run the shell there. This means that the `gitea` that is then run is the real docker `gitea`.
- On the host create a `git` user with permission to run `docker exec`.
- We will again assume that the Gitea container is called `gitea`.
- Modify the `git` user's shell to forward commands to the `sh` executable inside the container using `docker exec`. As an administrative user on the host run:
```bash
cat <<"EOF" | sudo tee /home/git/docker-shell
#!/bin/sh
/usr/bin/docker exec -i --env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" gitea sh "$@"
EOF
sudo chmod +x /home/git/docker-shell
sudo usermod -s /home/git/docker-shell git
```
Now all attempts to login as the `git` user on the host will be forwarded to the docker - including the `SSH_ORIGINAL_COMMAND`. We now need to set-up SSH authentication on the host.
We will do this by leveraging the [SSH AuthorizedKeysCommand](https://docs.gitea.io/en-us/command-line/#keys) to match the keys against those accepted by Gitea.
Add the following block to `/etc/ssh/sshd_config`, on the host:
```bash
Match User git
AuthorizedKeysCommandUser git
AuthorizedKeysCommand /usr/bin/docker exec -i gitea /usr/local/bin/gitea keys -c /data/gitea/conf/app.ini -e git -u %u -t %t -k %k
```
(From 1.16.0 you will not need to set the `-c /data/gitea/conf/app.ini` option.)
Finally restart the SSH server. As an administrative user on the host run:
```bash
sudo systemctl restart sshd
```
Here is a detailed explanation what is happening when a SSH request is made:
1. The client adds their SSH public key to Gitea using the webpage.
2. Gitea in the container will add an entry for this key to its database.
3. The client then makes an SSH request to the host SSH server using the `git` user, e.g. `git clone git@domain:user/repo.git`.
4. The client will attempt to authenticate with the server, passing one or more public keys in turn to the host.
5. For each key the client provides, the host SSH server will checks its configuration for an `AuthorizedKeysCommand`.
6. The host runs the above `AuthorizedKeysCommand`, which execs in to the docker and then runs the `gitea keys` command.
7. Gitea on the docker will look in it's database to see if the public key matches and will return an entry like that of an `authorized_keys` command.
8. This entry has the public key, but also has a `command=` option which matches the location of the Gitea binary on the container.
9. The host SSH server creates a user session for the `git` user, and using the shell for the host `git` user runs the `command=`.
10. The shell of the host `git` user is now our `docker-shell` which uses `docker exec` to open a shell for the `git` user on the container.
11. The container shell now runs the `command=` option meaning that the container `gitea serv` is run, taking over control of the rest of the SSH session and managing gitea authentication & authorization of the git commands.
**Notes**
Docker shell passthrough using `AuthorizedKeysCommand` will work only if
- The host `git` user is allowed to run the `docker exec` command.
If you try to login as the `git` user on the host in future you will `docker exec` directly to the docker.
A Docker execing shim could be created similarly to above.
### SSH Shell with AuthorizedKeysCommand
Create a key for the host `git` user as above, add it to the docker `/data/git/.ssh/authorized_keys` then finally create and set the `ssh-shell` as above.
Add the following block to `/etc/ssh/sshd_config`, on the host:
```bash
Match User git
AuthorizedKeysCommandUser git
AuthorizedKeysCommand /usr/bin/ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 /usr/local/bin/gitea keys -c /data/gitea/conf/app.ini -e git -u %u -t %t -k %k
```
(From 1.16.0 you will not need to set the `-c /data/gitea/conf/app.ini` option.)
Finally restart the SSH server. As an administrative user on the host run:
```bash
sudo systemctl restart sshd
```
Here is a detailed explanation what is happening when a SSH request is made:
1. The client adds their SSH public key to Gitea using the webpage.
2. Gitea in the container will add an entry for this key to its database.
3. The client then makes an SSH request to the host SSH server using the `git` user, e.g. `git clone git@domain:user/repo.git`.
4. The client will attempt to authenticate with the server, passing one or more public keys in turn to the host.
5. For each key the client provides, the host SSH server will checks its configuration for an `AuthorizedKeysCommand`.
6. The host runs the above `AuthorizedKeysCommand`, which will SSH in to the docker and then run the `gitea keys` command.
7. Gitea on the docker will look in it's database to see if the public key matches and will return an entry like that of an `authorized_keys` command.
8. This entry has the public key, but also has a `command=` option which matches the location of the Gitea binary on the container.
9. The host SSH server creates a user session for the `git` user, and using the shell for the host `git` user runs the `command=`.
10. The shell of the host `git` user is now our `git-shell` which uses SSH to open a shell for the `git` user on the container.
11. The container shell now runs the `command=` option meaning that the container `gitea serv` is run, taking over control of the rest of the SSH session and managing gitea authentication & authorization of the git commands.
**Notes**
SSH container passthrough using `AuthorizedKeysCommand` will work only if
- `opensshd` is running on the container
If you try to login as the `git` user on the host in future you will `ssh` directly to the docker.
Never add the `Gitea Host Key` as a SSH key to a user on the Gitea interface.
SSHing shims could be created similarly to above.

11
hosts/home-morefine/docker/gitea/secrets.sops.env Normal file
View File

@@ -0,0 +1,11 @@
GITEA__DATABASE__PASSWD=ENC[AES256_GCM,data:MXvGPgNtBYhm+6K4,iv:yPKVBAbx+C2Sg40C27bU1S59GF62oK5ON57BiMkc2PE=,tag:q1LQA6oPAei0zBCOLNCXcA==,type:str]
GITEA__MAILER__USER=ENC[AES256_GCM,data:pmX02eG9T2u44g5fADVOPmtr,iv:cGr4PF7p9apeyQ0AzstESZ38hE33YL7ISKbqR3bxc1o=,tag:uMwBTvyCMXhlPEsERH4CCw==,type:str]
GITEA__MAILER__PASSWD=ENC[AES256_GCM,data:V3Q/B1RXqBrqyrk/3mrPMQ==,iv:dkFVuC6zFh0lE4C5Cbo0BDplx4gnJxCZWeuAGb/AHm0=,tag:YaV+Z+MYn6Sl0BsB5n5cYQ==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGQVA0U24xcTk2UDdOdnlz\nYnk0UHZ1T1BVcEJwN2ExVmlQLzRFdk10dkRFClN3SWkrakxLOEo0T0hwK2ZhaEdI\nNnFYM1kvZGhDL3lEZlUwbnZXbFRpWEUKLS0tIHRseWVwNUIwREFFMXdGbjY0VVF1\nSnY1cVdKQWxuUFJCTzdrWVNhcThhQ1EKPXVMMmutPt2wF6aJCA++3r4o1b+bMXUn\nfHw4Sx8ZhcGoMfN35dGGODLwpd1ZwpanVyjme3YjRytitT0UIXayXg==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk
sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNNEVaWjcxT3JxenE5MTRJ\nQXM2TWFCbm1pZHpESzB0M1lHdGphL2JYTUVJCjdnTHkra3lubkhRblhtVWZnM3Z6\nQzFsc2t0a1BRcHdyT2RDYmFpc1R1VlUKLS0tIGtCYmNYcCtaUW5abjA2OVFzNjBU\neGNlZ1FEeWQ3aVYzdmsveUFnMXgvMlUKloULOaPVfDlwaq0Mf9VB08+ySUqaINen\niMJe2XOqVYflJNn334yuuLfnC5lTeowkCedFd4BlS1TxNld+64ewLw==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_1__map_recipient=age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73
sops_lastmodified=2026-02-12T08:48:06Z
sops_mac=ENC[AES256_GCM,data:1RngTw6NF9uPiIfCFQjjjzyVFaEpXJBeeL3VmbtKhQMTTPC415Ozuqk79GOhVBn6asSoa0GYMwMtrRMasVNYdxpuMCmYSmfQU+P7OjZyYqRKY+53Bur+C7uJnzKk/FIE4E5/vfk10OZ4MongW7Vk9YHcbg4cRPS/Tjk5znkHjDQ=,iv:+wPd1yxadhjsNesC501Rfl3IHFICy9HdgZX8DYiBh5M=,tag:FBFtY8bCfXEj4RAjSLSvvQ==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.11.0

27
hosts/home-morefine/docker/gitea/secrets.sops.yaml Normal file
View File

@@ -0,0 +1,27 @@
GITEA__DATABASE__PASSWD: ENC[AES256_GCM,data:oz74ifdKLHoMwVPi,iv:FO4sQtxeZnS6rLdKNiYV7BQzD/CYxS0cFLOY6XlMN1o=,tag:RQWrFLeRGNLgIPOwqdQn3Q==,type:str]
GITEA__MAILER__USER: ENC[AES256_GCM,data:ncQqsxcGSa6IOgZQrF6DJWbC,iv:DUbefGGFVTauVnsHCEeYudC+remQ7KKj0VPlta5falo=,tag:hVil4jjuTujXs4Ni4GiP5g==,type:str]
GITEA__MAILER__PASSWD: ENC[AES256_GCM,data:mPTwvEpuiOZS5s18KNykWA==,iv:vU7ixAiFZ0R4JxIPcvKUXG6xFUxXrCfQu5nXUUP592E=,tag:KwKlT+wfghUnraVT4f90Lg==,type:str]
sops:
age:
- recipient: age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsa2xqVkU5TDg5anZnK3lG
S2JOamZkVmpxQjI1SW9rMm5scVNSM0lsNUNJCjViU3ZlcWI0dnBUUUd5NjRhQUtz
TUNoTTRYZy9yZmdCdzg3M0pGci96NlUKLS0tIGM3RjlmZXI0YmhsYTdQMDNwNkpy
cXYrbWFhQUlWUDg4SWl1R0R1VGFtTW8K/lOkbAEAzA7aGkMj+9v3Vny1SMleyfl2
M1BRsK3M6LA4o3nEjvf0z69pmUvElWe0yzlGJg5QKHucxnfn4ke80g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6WWhCZy9KYy85Tlk0WVVp
TWV1ZHVkUTcwNGpNK3FkbnowRFQ4MFFTeHlrCnU0RXZkZEkrZ25tY2dLbDMvdXNU
NW5zSTl4eXBkNC9KUS82c2k0bDBtZTQKLS0tIDdIcXROVElWNjhmU3U5NHVQWjha
cjVDblpqVUtBYUQwR3RCVzdLSmgrMU0KELylj3gznnKe6vHrnBCl/EqLt2l0ekKC
PAEF0LsOhhbJWmjmjU8T3K73Bp25HMp6Pv/Yvt6VLwUqvzuZYxWyYg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-13T09:40:36Z"
mac: ENC[AES256_GCM,data:JrHRcLxlCBnzFr3QdfBpv3sEGqSgT8CSMIUyUSQAmH/XT1fqYL8gQMpjjjSvKFfDUNDDdG/3hRzo1d0QbflxXRWbuRwdeBgfNnjMr+gA7abQDcZkfloWu2mjXWvhKLfB/8pj9pvQtsXjL8FmHT3f8Tqwhu7kGY+JyF0a+drXckc=,iv:YOgI17N2FfTtW+Qvnq6M/EqTTBbFRu9oKdOH/r3SSNk=,tag:J1k+p/guQLAYctafaxDKUQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

21
hosts/home-morefine/docker/glances/docker-compose.yaml Normal file
View File

@@ -0,0 +1,21 @@
services:
glances:
container_name: glances
networks:
- caddy_internal
hostname: lab-home-morefin
restart: always
ports:
- '61208-61209:61208-61209'
environment:
- TZ=Europe/Minsk
- "GLANCES_OPT=-w"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- /etc/os-release:/etc/os-release:ro
pid: host
image: 'nicolargo/glances:latest-full'
networks:
caddy_internal:
external: true

27
hosts/home-morefine/docker/homepage/config/services.yaml
View File

@@ -35,12 +35,12 @@
statusStyle: 'dot'
- Toolkit:
- Librechat:
href: https://ai.catmedved.com/
description: LibreChat AI
icon: librechat.png
siteMonitor: http://librechat:3080
statusStyle: 'dot'
# - Librechat:
# href: https://ai.catmedved.com/
# description: LibreChat AI
# icon: librechat.png
# siteMonitor: http://librechat:3080
# statusStyle: 'dot'
- Databasus:
href: https://databasus.catmedved.com/
description: DB Backups
@@ -63,7 +63,7 @@
href: https://gitea.catmedved.com/
description: Gitea private git
icon: gitea.png
siteMonitor: http://gitea.catmedved.com:80
siteMonitor: http://gitea:3000
statusStyle: 'dot'
- Vaultwarden:
href: https://passwords.catmedved.com/
@@ -80,10 +80,10 @@
icon: beszel.png
siteMonitor: http://beszel:8090
statusStyle: 'dot'
- Auth:
href: https://auth.catmedved.com/
description: Authentik
icon: authentik.png
# - Auth:
# href: https://auth.catmedved.com/
# description: Authentik
# icon: authentik.png
# siteMonitor: http://authentik_server:9000/outpost.goauthentik.io/ping
# statusStyle: 'dot'
- Pi-Hole:
@@ -111,3 +111,8 @@
url: http://glances:61208
metric: info
- Servces:
- Fastmail:
href: https://app.fastmail.com/mail/Inbox/?u=80f94011
description: Fastmail
icon: fastmail.png

31
hosts/home-morefine/docker/immich/docker-compose.yml
View File

@@ -25,6 +25,7 @@ services:
- .env
environment:
DB_PASSWORD_FILE: /run/secrets/DB_PASSWORD
REDIS_HOSTNAME: immich_redis
ports:
- '10.8.0.3:2283:2283'
depends_on:
@@ -33,12 +34,14 @@ services:
restart: always
secrets:
- DB_PASSWORD
#healthcheck:
# disable: false
healthcheck:
disable: false
immich-machine-learning:
networks:
- immich_internal
dns:
- 192.168.1.131 # pi-hole
container_name: immich_machine_learning
# For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag.
# Example tag: ${IMMICH_VERSION:-release}-cuda
@@ -51,14 +54,14 @@ services:
env_file:
- .env
restart: always
#healthcheck:
# disable: false
healthcheck:
disable: false
redis:
container_name: immich_redis
image: docker.io/valkey/valkey:9@sha256:546304417feac0874c3dd576e0952c6bb8f06bb4093ea0c9ca303c73cf458f63
networks:
- immich_internal
container_name: immich_redis
image: docker.io/redis:6.2-alpine@sha256:148bb5411c184abd288d9aaed139c98123eeb8824c5d3fce03cf721db58066d8
healthcheck:
test: redis-cli ping || exit 1
restart: always
@@ -70,17 +73,19 @@ services:
POSTGRES_USER: ${DB_USERNAME}
POSTGRES_DB: ${DB_DATABASE_NAME}
POSTGRES_INITDB_ARGS: '--data-checksums'
#healthcheck:
# test: [ "CMD-SHELL", "pg_isready -U ${DB_USERNAME} -d ${DB_DATABASE_NAME}" ]
# interval: 30s
# timeout: 10s
# retries: 3
image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0
healthcheck:
test: ["CMD-SHELL", "pg_isready -U ${DB_USERNAME} -d ${DB_DATABASE_NAME} -h 127.0.0.1 || exit 1"]
interval: 30s
timeout: 5s
retries: 5
start_period: 40s
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
networks:
- immich_internal
restart: always
secrets:
- DB_PASSWORD
shm_size: 256mb
volumes:
# Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
- ${DB_DATA_LOCATION}:/var/lib/postgresql/data
@@ -93,4 +98,4 @@ networks:
secrets:
DB_PASSWORD:
file: /run/secrets/immich/DB_PASSWORD
file: /run/secrets/immich/DB_PASSWORD

11
hosts/home-morefine/docker/mealie/.env Normal file
View File

@@ -0,0 +1,11 @@
# apps user
PUID=995
PGID=995
TZ=Europe/Minsk
BASE_URL=https://recepies.catmedved.com
ALLOW_SIGNUP=true
SMTP_HOST=smtp.fastmail.com
SMTP_PORT=587
SMTP_FROM_NAME=Mealie
SMTP_AUTH_STRATEGY=TLS

43
hosts/home-morefine/docker/mealie/docker-compose.yaml Normal file
View File

@@ -0,0 +1,43 @@
services:
mealie:
image: ghcr.io/mealie-recipes/mealie:v3.10.2
container_name: mealie
restart: unless-stopped
# ports:
# - "9000:9000"
networks:
- caddy_internal
dns:
- 192.168.1.131 # pi-hole
deploy:
resources:
limits:
memory: 2000M #
volumes:
- /srv/rundata/mealie/mealie_data:/app/data/
env_file:
- .env
environment:
SMTP_FROM_EMAIL_FILE: /run/secrets/SMTP_FROM_EMAIL
SMTP_USER_FILE: /run/secrets/SMTP_USER
SMTP_PASSWORD_FILE: /run/secrets/SMTP_PASSWORD
OPENAI_API_KEY_FILE: /run/secrets/OPENAI_API_KEY
secrets:
- SMTP_FROM_EMAIL
- SMTP_USER
- SMTP_PASSWORD
- OPENAI_API_KEY
networks:
caddy_internal:
external: true
secrets:
SMTP_FROM_EMAIL:
file: /run/secrets/mealie/SMTP_FROM_EMAIL
SMTP_USER:
file: /run/secrets/mealie/SMTP_USER
SMTP_PASSWORD:
file: /run/secrets/mealie/SMTP_PASSWORD
OPENAI_API_KEY:
file: /run/secrets/mealie/OPENAI_API_KEY

28
hosts/home-morefine/docker/mealie/secrets.sops.yaml Normal file
View File

@@ -0,0 +1,28 @@
OPENAI_API_KEY: ENC[AES256_GCM,data:je5aR2mmV+e87AcWwpr8AsdaubDSTZWcNmLbWSkKowz6shl6VFBY6F30HDq8ZpVmTZgxFYoXqolzp/NOOdfCpgK4feduMMB5/dV2y66SA7K4nI/iQrFhY9ynDTMCRkIJ+7YPIpH8NX0V5xM72OaB6ax2VYmfQXbBGt74FCqe4bNgy2QOZBhVEMPADi67oGsv0+bfUNtTMepvZqgSZEI5TD9A7gI=,iv:xiAU+uttRIYJ2VbRadRlDFa6Dh84GWmK6YY0N2lz/EU=,tag:us+Gqd8VIYFusIf0RpBJpQ==,type:str]
SMTP_FROM_EMAIL: ENC[AES256_GCM,data:zAR1DkpDHKGUSbtr2SsdpM3te0g=,iv:8c+Oh041FRq3Pxol2V5y1NswDsaFu3jWra/av2nzcLo=,tag:JMKyrG0Pd/1avZUoz4EC0w==,type:str]
SMTP_USER: ENC[AES256_GCM,data:Eu54STOpUBEhDsgOYg3HNDpf,iv:vuvqnZ0aZNbRbhaGEV97QmTcKfUGvgjuxU++KvZvtOk=,tag:XJf98vJ7hgRkFT16VhV50Q==,type:str]
SMTP_PASSWORD: ENC[AES256_GCM,data:ojuqLrn21mGEsBwREJnHcw==,iv:f9hQi6rbLGMvlMF/eUHqnDh9i/vnF9PtWzI61PsuNK8=,tag:lzgJXXpxIY9YkbJLSZLv4w==,type:str]
sops:
age:
- recipient: age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzaWZCK2tCVEo5UnFZMUQy
VWRVN3ZaNzlsUGZnVjJ4Q0FoTE00VkFVYkdZClBTajFBYVhJZUlYdEdQRWFTY3Iy
Y1B4NmFUYkZJSmN6TzdlV25aMG1kYVEKLS0tIDRVRGJyRVBTYno2dG9nUzdTQTNw
bGl1YTE0NHl2dXhIbE1KQlptcWZKTlUKKiIh02s3ADYEf5QOtcVllU1jPga2R359
/IkK7PTWtrGh0334ChjPi8vsArDr661eSgMJQBT8cas+Z8LqbDmmJg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIeFN3T0xzblJ1SXZLaUZl
Myt2cFpCdUdZZm13SjFNWlprSVBvaDdOMEVZCkRROHBOalRXMHpxNUh5QWtXK0VR
cWV5aldRaWt6Z3JLSjVvWnJTQlZMeFUKLS0tIHh3anRTYitVTGhvR0dXYkp6QWs5
eTM3eEhrYkJSc3IxVGJlSzJmOUd6bncK8q0pHj60nXdWdqUV10dv02nkTtGHyLpb
WyzjLLLE+fqxZFASi+e5sM7cbCdYf/pronruobSszy1uEVDftIRy5Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-13T14:46:23Z"
mac: ENC[AES256_GCM,data:a+jLfsDyuB98ORFFOYF8Zn+yo+PmyUvtsBpUrDEs35L2883D+EvD1vwk/FlsGU7IRk5TgTZS921X+hdVTjXPwfjbE1IBnCzaXzgbrfGZXWbhXiDKfh6/yys9xJfJJKEAARNBNVPDv5ilrO7tf/5awmnb72xaWvdViv8pLsXJBZo=,iv:DNEDTBC4xNXADasU7WzQ5Mu9uF0+bofw5uMj07fruV8=,tag:WaAnknCd5pJcO2dzawh18g==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

29
hosts/home-morefine/docker/pihole/docker-compose.yaml Normal file
View File

@@ -0,0 +1,29 @@
services:
pihole:
image: pihole/pihole:latest
container_name: pihole
restart: unless-stopped
networks:
- caddy_internal
ports:
# - "8081:80"
- "53:53/tcp"
- "53:53/udp"
environment:
TZ: 'Europe/Minsk'
WEBPASSWORD_FILE: /run/secrets/pihole/WEBPASSWORD
#FTLCONF_webserver_api_password: WEBPASSWORD_FILE
FTLCONF_dns_listeningMode: 'all'
volumes:
- /srv/rundata/pihole/etc-pihole:/etc/pihole/
- /srv/rundata/pihole/dnsmasq.d:/etc/dnsmasq.d/
dns:
- 127.0.0.1
- 1.1.1.1
# - 8.8.8.8
cap_add:
- NET_ADMIN
networks:
caddy_internal:
external: true

25
hosts/home-morefine/docker/pihole/secrets.sops.yaml Normal file
View File

@@ -0,0 +1,25 @@
WEBPASSWORD: ENC[AES256_GCM,data:edQU3J4QPY7RsQuI1ZE=,iv:cGSMcG9olkMY93kNF386lPjBGHhUhj+mF/ly7vWMrq4=,tag:fNRBj3gRMQMytZWSOa66lQ==,type:str]
sops:
age:
- recipient: age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6SXdIQktJUTNQRXVoenlu
Y2RsMmRuM084eHRTdnZnaG9uUFZhRHllZ3kwCjFYV01lR2d0ci9YR09TcVp4Y1lC
clNkckNEbUxZeHI5UnFPd2ZzZkVTNjAKLS0tIElSYlp6ZGg1UTNNQk5QbitjWlIy
QjBJM0h1bmw2eGt1Sy9WUFd0RmNMSTgK64gSZP+MSlrHx3//MLoJQf+Nyxgqx/ab
mdvw8x33dimOgJSPK8yJqxVAPzjasboz5Nm8CJsAemX+XyUJxh8nwA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4WTlKV0lSOEZtU1NhVHBM
Z1NocEpUMXhpVDE1dW9lRk41cTlDdUthNEhzCkszVkc2NTJkbWRRTWx2b1p0d3dv
eThXT05LbDhBWHRCV1BYSnduMGNMQm8KLS0tIE1JbVZkblNXdktqUEYzak8zTmRL
amVHRDJlVUpxeFg0S0RmUXUrckN4VGsKlpPBESTbM+F2VjwwP/RiTFnPXZgW47n4
PdD5Tv7tqFCP/WDX+SWIgNvhSg9KqPYbtmy93wfkxYvOEc4e/mOq+w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-13T11:14:33Z"
mac: ENC[AES256_GCM,data:O5mdN3OPNcgaL+TRnYx4Shj9Xsyn3XFmCJqxx93FbGTgI8Se6m5sPrYBCfl2xhk2ZlejN5Ttk3rKRL2G4L02tPGK6JZxsUQ2O93W3nUCUXFo0nJhANjrb+piLa0B+NxVl23QSo/i2MYAhJwkH/qi9Tl/hXJybrAVRBIhKgKlGBc=,iv:BNdYQ6NYs/IMHMmmXOGB+2br0wA+VaxnzWUgELY49F0=,tag:t88fAbdEf6yriynFENsQZQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

31
hosts/home-morefine/docker/postgres/docker-compose.yml Normal file
View File

@@ -0,0 +1,31 @@
services:
postgres:
image: postgres:18
container_name: postgres
restart: unless-stopped
environment:
# POSTGRES_PASSWORD_FILE: /run/secrets/POSTGRES_PASSWORD
POSTGRES_INITDB_ARGS: "--data-checksums --locale=C --encoding=UTF8 --auth-host=scram-sha-256"
POSTGRES_HOST_AUTH_METHOD: "scram-sha-256"
TZ: Europe/Minsk
networks:
- postgres
ports:
- "127.0.0.1:5432:5432"
volumes:
- /srv/postgres18:/var/lib/postgresql
# secrets:
# - POSTGRES_PASSWORD
healthcheck:
test: ["CMD-SHELL", "pg_isready -U postgres"]
interval: 30s
timeout: 10s
retries: 3
#secrets:
# POSTGRES_PASSWORD:
# file: ./POSTGRES_PASSWORD
networks:
postgres:
name: postgres

20
hosts/home-morefine/docker/vaultwarden/docker-compose.yaml Normal file
View File

@@ -0,0 +1,20 @@
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
restart: unless-stopped
environment:
DOMAIN: "https://passwords.catmedved.com"
volumes:
- /srv/rundata/vaultwarden/vw-data/:/data/
# ports:
# - 5080:80
networks:
- caddy_internal
dns:
- 192.168.1.131 # pi-hole
networks:
caddy_internal:
name: caddy_internal
external: true

25
hosts/lab-by-02/docker/beszel/docker-compose.yaml Normal file
View File

@@ -0,0 +1,25 @@
services:
beszel-agent:
image: henrygd/beszel-agent
container_name: beszel-agent
restart: unless-stopped
network_mode: host
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./beszel_agent_data:/var/lib/beszel-agent
# monitor other disks / partitions by mounting a folder in /extra-filesystems
# - /mnt/disk/.beszel:/extra-filesystems/sda1:ro
environment:
LISTEN: 45876
HUB_URL: https://beszel.catmedved.com
KEY_FILE: /run/secrets/AGENT_KEY
TOKEN_FILE: /run/secrets/AGENT_TOKEN
secrets:
- KEY_FILE
- TOKEN_FILE
secrets:
KEY_FILE:
file: /run/secrets/beszel/AGENT_KEY
TOKEN_FILE:
file: /run/secrets/beszel/AGENT_TOKEN

26
hosts/lab-by-02/docker/beszel/secrets.sops.yaml Normal file
View File

@@ -0,0 +1,26 @@
AGENT_KEY: ENC[AES256_GCM,data:21+ujbBL/qZU/D7DhykaAgL1tg5puAa3Unh+saeO8sC2ozgAEIhgw/ctd0Bcq86F3yzhMyiP7MEJuVPOzxcODWehFnYpxhzLqqBIBWb/1QY=,iv:GIvs2L/3OuIzyzAIkwasZ+IyIQOmFe6GJeJ68VBH8XM=,tag:CZUrhBbTffPcSt+W0pbOLA==,type:str]
AGENT_TOKEN: ENC[AES256_GCM,data:K1QCpuyCT29VjdX0iBgLvsxu4jhAScCyNfka4EmYjxC9T2cR,iv:Cmo3rRUN3XNL3bFDuwaGeW0tlBCS61lG5XmCooNFXL0=,tag:k4doY+ymr3NasJg15hvvIg==,type:str]
sops:
age:
- recipient: age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvdEg3MlBQc0orTmFKZmh0
OTg4bXpNQzFJWmJwaUNmVk9uNVNobmgwZ0JvCnErN2U0R1dFWmRCRjc2ZGZkTDcr
dy9FYUNzTUwyQUpXSm9kclJKYW55QjgKLS0tIEZKQTBCcndIMnVQQXN2ZDFqNWZN
Zkc3bm1taDd1b2d1VWcrVmxUTDJFcEUKXpe1NE1zZ+qKyCXDDXgEi6uVZ5WATOnT
ZjSP3bzPJBRPqz3zxAcrgwOKLNKJlk6IiCVCTkorzfQMv4iCuUsLQA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdnpPa1YrZGNwUk5ReUlH
NjFuMk1QV1ZPM0d1TkFmRXFSVGtidEk2SEZRCklTdVhIL1dRRm9mdjg4SGZjenVo
dmxYZ2ZEaW1FeDQvNWFSOHJucjNHdmcKLS0tIDhvclZIMDlwajFqbW9DTHUwZHJJ
U1cyQzc3TlhybW43cS96QWxzYjlPcUkKB28IAAO5PpUlef8JnD8JvWxvdoToWOgA
LV3lhShJr+/CcT9o5Sxt9ijY5FNUDA/H8nVlECgoTfE0B9mmCiXL7g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-13T15:18:29Z"
mac: ENC[AES256_GCM,data:rYkCfNnsM6AWXnv/8dFGqCWf5wRVM6YS9ZnUjWuzRnlhuHnwMxPFxEoLeo445/dVkflBlnMeVKtkMZlM9byd3aWK4mcIiqxeZ+MTAjMt2jzqqj7Kf/j2BoCAazpJSkqqFCfCpp0IXPtWQPZTEz7Ki4ozZUeHa73+nZoqjNPDSC8=,iv:yn4atWog6/yYw1ZYlTK7eZdyUTv0d1D66B/9/QL0joo=,tag:fe50DGtkRM2HiZno8IIVSg==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0

34
hosts/lab-by-02/docker/caddy/Caddyfile Normal file
View File

@@ -0,0 +1,34 @@
{
email ulakar@fastmail.com
admin off
}
# B
beszel.catmedved.com {
reverse_proxy http://10.8.0.3:8090
}
# G
gameyfin.catmedved.com {
reverse_proxy http://10.8.0.3:8080
}
# M
media.kladovka52.com {
reverse_proxy http://10.8.0.4:8096
}
music.catmedved.com {
reverse_proxy http://10.8.0.3:4533
}
# P
photo.catmedved.com {
reverse_proxy http://10.8.0.3:2283
}
# V
vpnwg.ulakar.com {
reverse_proxy localhost:51821
}
}

26
hosts/lab-by-02/docker/caddy/docker-compose.yml Normal file
View File

@@ -0,0 +1,26 @@
services:
caddy:
image: caddy:latest
container_name: caddy
restart: unless-stopped
# networks:
# - caddy
network_mode: "container:wgeasy"
# ports:
# - "80:80"
# - "443:443"
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile
- caddy_data:/data
- caddy_config:/config
environment:
- TZ=Europe/Minsk
#networks:
# caddy:
# name: caddy
# external: false
volumes:
caddy_data:
caddy_config:

19
hosts/lab-by-02/docker/wgeasy/data/wg0.sops.conf Normal file
View File

File diff suppressed because one or more lines are too long

45
hosts/lab-by-02/docker/wgeasy/docker-compose.yml Normal file
View File

@@ -0,0 +1,45 @@
services:
wg-easy:
environment:
# Optional:
# - PORT=80
# - HOST="vpnwg.ulakar.com"
- INSECURE=false
image: ghcr.io/wg-easy/wg-easy:15
container_name: wgeasy
networks:
# caddy:
wg:
ipv4_address: 10.42.42.42
ipv6_address: fdcc:ad94:bacf:61a3::2a
volumes:
- ./data:/etc/wireguard
- /lib/modules:/lib/modules:ro
ports:
- "51820:51820/udp"
- "80:80"
- "443:443"
# - "51821:51821/tcp"
restart: unless-stopped
cap_add:
- NET_ADMIN
- SYS_MODULE
sysctls:
- net.ipv4.ip_forward=1
- net.ipv4.conf.all.src_valid_mark=1
- net.ipv6.conf.all.disable_ipv6=0
- net.ipv6.conf.all.forwarding=1
- net.ipv6.conf.default.forwarding=1
networks:
# caddy:
# external: true
wg:
driver: bridge
enable_ipv6: true
ipam:
driver: default
config:
- subnet: 10.42.42.0/24
- subnet: fdcc:ad94:bacf:61a3::/64

9
hosts/lab-by-02/docker/wgeasy/readme.md Normal file
View File

@@ -0,0 +1,9 @@
regular config path: `/etc/wireguard/wg0.conf`
wgeasy adds row to match json with wg0 conf:
`# Client: Name (Id)`
Example:
`# Client: Jalezze (4073b49a-ad08-4324-b4d0-bfe04d743fd3)`

79
hosts/lab-by-02/initial_setup.sh Normal file
View File

@@ -0,0 +1,79 @@
#!/usr/bin/env bash
set -euo pipefail
### ==== CONFIG ====
NEW_USER="vk"
NEW_USER_SSH_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCrWDR47Kc44jCeM+DK+2J1MZgPm6FlHc7LTkN0loeWea0EMCu3rtzSRV6OUIMsbh6038m77kNmsoP7XjfYOdHLTEdYZ87Y4kd6O0VUSW0ldDCtrmFZBy7rI7YAnAh1Hup0Q4DaimDHx2UWrrXxUxKcuPw2eJtbN7/yhq9nrdTkr1kP213geHIcs91d+g9UrGSU2eMS8wGm67VSEgIQSiOoGiY422JzDR57x3EmH3M4bDw0kQFAwguBM7LtBG0oX/Znd4EjAZNnkqaGGqdaxxld3sqzs8EjXIgkEfvwp7qX9tW5qyyA2j3syg/qj89FaLW/CRmIKqxIZnYaweL4e2MhvHWE8CaMws5N801YuTdyvyQZSUHgNCe5MR9f6FihgPBX9M0qDAHlZ0oUKq6ScIUqz+JpWL/NTcOLYMCnBoL+JDIyzkwBzlJpreq4MmC7bjL6hjw5K0ykA9S8Kk4Cuarfw9OwSk5LiL/bVy2CDBtBBIzFg9Hd0TanSERjRQrhh7s= vk@jalezze'
HOSTNAME_FQDN="lab-by-02.ulakar.com"
### ===================================
if [[ "$(id -u)" -ne 0 ]]; then
echo "Run this script under root user" >&2
exit 1
fi
echo "== Update System =="
apt-get update -y
apt-get upgrade -y
if [[ -n "$HOSTNAME_FQDN" ]]; then
echo "== Set hostname: $HOSTNAME_FQDN =="
hostnamectl set-hostname "$HOSTNAME_FQDN"
fi
echo "== Create user $NEW_USER =="
if id "$NEW_USER" >/dev/null 2>&1; then
echo "User $NEW_USER already exists. Skip."
else
adduser --disabled-password --gecos "" "$NEW_USER"
fi
echo "== Add $NEW_USER into sudo =="
usermod -aG sudo "$NEW_USER"
# allow sudo commands without password
echo "$NEW_USER ALL=(ALL) NOPASSWD:ALL" | sudo tee "/etc/sudoers.d/$NEW_USER"
sudo chmod 440 "/etc/sudoers.d/$NEW_USER"
echo "== Setup SSH-key for $NEW_USER =="
USER_HOME=$(getent passwd "$NEW_USER" | cut -d: -f6)
mkdir -p "$USER_HOME/.ssh"
chmod 700 "$USER_HOME/.ssh"
AUTH_KEYS="$USER_HOME/.ssh/authorized_keys"
touch "$AUTH_KEYS"
grep -qxF "$NEW_USER_SSH_KEY" "$AUTH_KEYS" || echo "$NEW_USER_SSH_KEY" >> "$AUTH_KEYS"
chmod 600 "$AUTH_KEYS"
chown -R "$NEW_USER:$NEW_USER" "$USER_HOME/.ssh"
echo "== Setup SSH =="
cat >/etc/ssh/sshd_config.d/100-security.conf <<EOF
PermitRootLogin no
PasswordAuthentication no
EOF
echo "== Reload SSH daemon =="
if systemctl reload ssh 2>/dev/null; then
echo "SSH reloaded via ssh.service"
elif systemctl reload sshd 2>/dev/null; then
echo "SSH reloaded via sshd.service"
else
echo "Warning: could not reload SSH daemon"
fi
echo "== Install base utilities =="
apt-get install -y \
net-tools \
htop \
curl \
wget \
git \
vim \
gnupg \
ca-certificates \
lsb-release
echo "== Finished. Check SSH for $NEW_USER =="

13
hosts/lab-by-02/install_base_utilities.sh Normal file
View File

@@ -0,0 +1,13 @@
echo "== Install base utilities =="
apt-get install -y \
net-tools \
htop \
curl \
wget \
git \
vim \
gnupg \
ca-certificates \
lsb-release
echo "== Finished install base utilities =="

8
hosts/lab-by-02/setup_docker.sh Normal file
View File

@@ -0,0 +1,8 @@
echo "== Docker: install from get.docker.com =="
curl -fsSL https://get.docker.com | sh
echo "== Docker: add $NEW_USER into docker group =="
usermod -aG docker "$NEW_USER"
systemctl enable --now docker
echo "== Finished docker installation =="

4
hosts/lab-by-02/setup_fail2ban.sh Normal file
View File

@@ -0,0 +1,4 @@
echo "== Fail2ban =="
apt-get install -y fail2ban
systemctl enable --now fail2ban
echo "== Fail2ban enabled =="

12
hosts/lab-by-02/setup_ufw.sh Normal file
View File

@@ -0,0 +1,12 @@
echo "== UFW =="
apt-get install -y ufw
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
# enable with interactive = off
echo "y" | ufw enable
echo "== UFW enabled =="

41
shared/sops-decrypt.sh
View File

@@ -25,26 +25,41 @@ for service_dir in ./*/; do
service_name="${service_dir#./}" # remove leading './': './service/' -> 'service/'
service_name="${service_name%/}" # remove trailing '/': 'service/' -> 'service'
secrets_file="./${service_name}/secrets.sops.yaml"
[[ -f "$secrets_file" ]] || continue
yaml_secrets_file="./${service_name}/secrets.sops.yaml"
env_secrets_file="./${service_name}/secrets.sops.env"
[[ -f "$yaml_secrets_file" || -f "$env_secrets_file" ]] || continue
out_dir="${OUT_ROOT}/${service_name}"
install -d -m "$DIR_MODE" -o root -g "$SECRETS_GROUP" -- "$out_dir"
sops -d "$secrets_file" \
| yq -r -0 'to_entries[] | [.key, .value] | .[]' \
| while IFS= read -r -d '' key && IFS= read -r -d '' value; do
[[ "$key" =~ ^[A-Za-z0-9_][-A-Za-z0-9_]*$ ]] || { echo "skip bad key: $key" >&2; continue; }
if [[ -f "$yaml_secrets_file" ]]; then
sops -d "$yaml_secrets_file" \
| yq -r -0 'to_entries[] | [.key, .value] | .[]' \
| while IFS= read -r -d '' key && IFS= read -r -d '' value; do
[[ "$key" =~ ^[A-Za-z0-9_][-A-Za-z0-9_]*$ ]] || { echo "skip bad key: $key" >&2; continue; }
tmp_val="$(mktemp "${out_dir}/.${key}.XXXXXX")"
tmp_val="$(mktemp "${out_dir}/.${key}.XXXXXX")"
printf '%s' "$value" > "$tmp_val"
printf '%s' "$value" > "$tmp_val"
chown root:"$SECRETS_GROUP" "$tmp_val"
chmod "$FILE_MODE" "$tmp_val"
chown root:"$SECRETS_GROUP" "$tmp_val"
chmod "$FILE_MODE" "$tmp_val"
mv -f -- "$tmp_val" "${out_dir}/${key}"
done
mv -f -- "$tmp_val" "${out_dir}/${key}"
done
fi
if [[ -f "$env_secrets_file" ]]; then
tmp_env="$(mktemp "${out_dir}/.secrets.env.XXXXXX")"
sops -d "$env_secrets_file" > "$tmp_env"
chown root:"$SECRETS_GROUP" "$tmp_env"
chmod "$FILE_MODE" "$tmp_env"
mv -f -- "$tmp_env" "${out_dir}/secrets.env"
fi
echo "sops ok: ${service_name}"
done
done